Install the Enforcer

You can install Enforcers on bare metal servers or virtual machines (VMs) running on private clouds or on-prem.
The following procedures cover the Enforcer installation in these environments.

Prerequisites

Review the system requirements. Deploying Enforcers requires that namespaces be present in your environment. If you don’t have any suitable namespaces in your environment, create the namespaces before deploying Enforcers.

Linux

  1. Navigate to the
    Namespace
    of the group where you want to deploy the Enforcer. From there, go to the
    Agent > Deploy
    page.
  2. Select
    Single Enforcer
    .
  3. Set the
    Platform Type
    to
    Linux
    .
  4. Set the
    Registration Type
    to
    Standard
    .
  5. If you want to add custom tags to your Enforcer use them in a RuleSet, add them under
    Tags
    .
  6. Copy the resulting installation script and run it on your VMs to install the Enforcer.

Windows Servers and Clients

  1. Navigate to the
    Namespace
    of the group where you want to deploy the Enforcer. From there, go to the
    Agent > Deploy
    page.
  2. Select
    Single Enforcer
    .
  3. Set the
    Platform Type
    to
    Windows
    .
  4. Set the
    Registration Type
    to
    Standard
    .
  5. If you want to add custom tags to your Enforcer use them in a RuleSet, add them under
    Tags
    .
  6. Copy the resulting installation script and run it on your servers and clients to install the Enforcer.

Install Enforcers on Public Cloud Instances with Auto-Registration

The difference between an Enforcer deployed on-prem and an Enforcer deployed on a public cloud is the registration method.
On-prem Enforcers use a short-lived microsegmentation token. Cloud resources using Cloud Auto-Registration use a token signed by the cloud provider, which allows the Enforcer to retrieve cloud provider metadata.
Use the cloud auto-registration method to install the Enforcer on your cloud provider. Using cloud auto-registration ensures that the Enforcer uses short-lived tokens and retrieves the cloud provider’s metadata. Any new virtual machine (VM) with cloud provider role attached to it and with the Enforcer binary is then automatically registered to the namespace.
Cloud Auto-Registration is available on the following cloud service providers (CSPs).
  • AWS
  • Azure
  • GCP.
For other public cloud providers, you should complete the Enforcer installation on your VMs.
To use cloud auto-registration for your Enforcers, complete the following steps.
  1. Provide your instances the needed permissions.
  2. Create platform-specific auto-registration policies.
  3. Install your Enforcers.

Required Permissions for Enforcers in Public Cloud Instances

You can install Enforcers on public cloud instances, but your instances must have the following permissions assigned to retrieve the cloud service provider (CSP) and any custom metadata from the CSP metadata server.
Cloud Service Provider
Permission
AWS
IAM role attached to the instance, requires the ec2:DescribeTags permission
Azure
Host VM Identity requires the "Reader Role" permission
GCP
Service Account attached to the instance requires "Read Only" permission to Compute Service
Once your instances have the needed permissions, you can complete the following procedures to install your Enforcers on public cloud instances.

Create Auto-Registration for AWS Accounts

  1. Obtain your AWS cloud account number.
  2. On Prisma Cloud, navigate to the
    Namespace
    of the group where you want to deploy the Enforcer.
  3. Click on the
    Authorizations
    tab.
  4. Click on the + button.
  5. Select
    Create a cloud auto-registration policy
    .
  6. Go to
    Auto-registration
    .
  7. Under
    Cloud Provider
    , select
    AWS
    .
  8. Under
    Claims
    , enter your AWS account ID, for example: account=<your AWS account id>.
  9. Click
    Next
    to finish creating the auto-registration policy.

Create Auto-Registration for Azure Subscriptions

  1. Obtain your Azure subscription ID or Tenant ID.
  2. On Prisma Cloud, navigate to the
    Namespace
    of the group where you want to deploy the Enforcer.
  3. Click on the
    Authorizations
    tab.
  4. Click on the + button.
  5. Select
    Create a cloud auto-registration policy
    .
  6. Go to
    Auto-registration
    .
  7. Under
    Cloud Provider
    select
    Azure
    .
  8. Under
    Claims
    , enter your subscription ID or tenant ID, for example: subscriptions=<your Azure subscription> or tenantid=<your Azure tenant id>
  9. Click
    Next
    to finish creating the auto-registration policy.

Create Auto-Registration for GCP Projects

  1. Obtain your GCP project ID.
  2. On Prisma Cloud, navigate to the
    Namespace
    of the group where you want to deploy the Enforcer.
  3. Click on the
    Authorizations
    tab.
  4. Click on the + button.
  5. Select
    Create a cloud auto-registration policy
    .
  6. Go to
    Auto-registration
  7. Under
    Cloud Provider
    select
    GCP
  8. Under
    Claims
    , enter your project ID, for example projectid=<your GCP project ID>
  9. Click
    Next
    to finish creating the auto-registration policy.

Create an Auto-Registration Policy using the CLI

To include the creation of the auto-registration policy in your automation, you can use a single command using the apoctl command-line utility.
Use the following example to create an auto-registration policy. Replace the <placeholders> with the appropriate values for your CSP and environment.
apoctl api create apiauth \ -n '<namespace>' \ -k name '<cloud autoregistration name>' \ -k subject '[["@auth:realm=<source>", "@auth:<CSP account>"]]' \ -k authorizedNamespace '<namespace>' \ -k authorizedIdentities '["@auth:role=enforcer"]'

Linux

Before you begin, ensure that an auto-registration policy already exists.
  1. Navigate to the
    Namespace
    of the group where you want to deploy the Enforcer. From there, go to the
    Agent > Deploy
    page.
  2. Select
    Single Enforcer
    .
  3. Set the
    Platform Type
    to
    Linux
    .
  4. Set the
    Registration Type
    to
    Cloud Autoregistration
    .
  5. Copy the resulting installation script and run it on your VMs to install the Enforcer.

Windows

Before you begin, ensure that an auto-registration policy already exists.
  1. Navigate to the
    Namespace
    of the group where you want to deploy the Enforcer. From there, go to the
    Agent > Deploy
    page.
  2. Select
    Single Enforcer
    .
  3. Set the
    Platform Type
    to
    Windows
    .
  4. Set the
    Registration Type
    to
    Cloud Autoregistration
    .
  5. Copy the resulting installation script and run it on your clients and servers to install the Enforcer.

Enforcer Tags

Enforcer tags are used when you want to create tags for the Enforcer itself. This capability is very useful on environments where security administrators have no permissions to create or modify existing workload tags.
In such cases, administrators can use Enforcer tags as a way to use custom tags on rulesets, and then reference the tags when installing an Enforcer.

Install the Kubernetes CRD Operator

The Kubernetes (k8s) CRD Operator allows you to use the kubectl CLI to manage CNS objects without using the apoctl CLI. You can also use the secret of the namespace as a token to communicate with the CNS API server without having to include the application credentials. This method allows you to automate managing CNS objects and removes the dependency on the apoctl CL.
To install the api-server, add the --install-aggregated-apiserver flag as an argument during a K8s Enforcer installation.
For additional information on how use the api-server to manage microsegmentation objects in K8s, please visit the API server page.

Advanced Options

These are several aspects of an enforcer configuration that are controlled by using advanced flags during an enforcer install.

Host Mode

When Host mode is enabled, the enforcer protects your Kubernetes pods, containers and nodes. You can only change the protection mode when installing the enforcer. To change the protection mode from container to host mode, you need to reinstall the enforcer.
To enable host mode, you must use the --raw-flags --enable-host-mode advanced configuration option when installing the enforcer. Alternatively, you can enable host mode directly in the Prisma Cloud administrative console.
For additional information on how use the api-server to manage microsegmentation objects in K8s, please visit the API server page.

Enable Proxy Support

Enforcers require access to Prisma Cloud in order to send telemetry data and receive updates and in some environments this can only be achieved through a non-transparent proxy.
Enforcers support adding a proxy endpoint during install, in order to support such use cases.
TLS terminating proxies are not supported.
During the enforcer installation, expand the
Advanced
option and add the proxy information, as follows:
  • Proxy Address
    — IP address or fully qualified domain name (FQDN) of the proxy server, alongside the protocol and port information: example http://proxy.example.com:8080
  • Proxy Credential
    — User and Password credentials for proxies that require authentication (optional)
  • Proxy Server CA
    — When the proxy server requires a private CA certificate to be used during connection (optional). Upload the proxy certificate in .pem file format.

Enable IPv6

By default,enforcers ignore IPv6 traffic. If you have IPv6 in your environment and wish to monitor and control these connections, use the --raw-flags --enable-ipv6 flag during installation.

Token Expiration

You can control for how long you want the microsegmentation token to be valid during an enforcer install. The default is 30 minutes, but if you want the value to be lower, you can adjust it for 10 minutes` or if you need the token to be higher, you can adjust it for 1 hour.

Install without activation (Host only)

Output script (Host only)

IP Constraint

Cloud Probes timeout

The enforcer can determine if it is running in a cloud environment, such as AWS, GCP, or Azure. Use the --cloud-probe-timeout to configure the amount of time to wait for these internal probes to complete during installation. Default is two seconds.

Recommended For You